// Trust & Security Report
Hi Bob, Inc. (formerly Mosaic.tech, Inc. — acquired by HiBob February 2025)
Mosaic Finance: AI-powered FP&A (Financial Planning & Analysis) platform with 150+ pre-built metrics, 3-statement models, headcount planning, and scenario planning. Now integrated as the Finance module within HiBob's all-in-one HR + Payroll + Finance platform (Bob). Sub-products: Core HR (Bob), Talent, Payroll & Benefits, Planning, Finance (Mosaic), Bob AI Companion.
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on hibob.com“We undergo routine audits to receive updated SOC 2 Type II reports, available upon request and subject to a signed NDA.”
Verify on hibob.com“HiBob is ISO 27001:2022, ISO 27018:2019, and SOC2 Type 2 certified.”
Verify on hibob.com“ISO 27018:2019 certified. Resources available: ISO 27018:2019 Certificate.”
Verify on hibob.com“DPA available (pre-signed via DocuSign). Hi Bob, Inc. complies with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework. Data stored primarily in AWS Ireland and AWS Frankfurt.”
> Show 7 unconfirmed / not-held certifications
source: hibob.comMentioned once in AI Trust Center page alongside other standards ('SOC2 type 2, and SOC1 type 2') but not listed or documented on the main security page. Cannot confirm as a standalone audit report.
source: hibob.comNo public evidence of ISO 27017 certification on vendor domain.
source: hibob.comMentioned once in AI Trust Center as one of several standards followed ('HiBob follows industry best practices, including...ISO42001') but no certificate details, audit date, scope, or accredited body are provided. Cannot confirm as a held certification; may be aspirational framing.
source: hibob.comMentioned only in the AI Trust Center page alongside other compliance standards but absent from the main security page. Pre-acquisition, mosaic.tech was explicitly described as 'not HIPAA or FedRAMP certified' by third-party assessors (cfoshortlist.com). Cannot confirm held for the post-acquisition integrated platform without explicit HiBob documentation.
source: hibob.comSecurity page states HiBob hosts data in 'AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant' — this is AWS's own certification, not HiBob's. HiBob itself makes no PCI DSS claim.
source: hibob.comNo public evidence of CSA STAR certification on vendor domain.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
AWS Ireland (primary), AWS Frankfurt/Germany (backup/DR). Privacy policy lists US, EU, UK, Australia, Canada, and Israel as possible processing locations for corporate/admin data.
AI Trust Center explicitly states: 'Our customers' data is not stored outside of the HiBob environment and is not used to train the third-party publicly accessible generative AI models. Customer data sent to AI providers is not stored or logged — ever. Data is processed strictly for the purpose of generating a response. No data is used to train AI models.' Admins can selectively disable or enable AI features per the AI Settings page. This zero-retention / no-training policy applies to the Bob AI Companion and all AI-powered features within the platform, which includes the Mosaic Finance module.
// Security controls
Encryption at rest
AES-256 via AWS KMS. Two layers: RDS data encryption (KMS AES-256) and application-layer encryption for financial and salary data (KMS AES-256)
hibob.comAccess controls
Role-based access control (RBAC). Production network access restricted to need-to-know with MFA. Least-privilege enforced.
hibob.comAuthentication
Native HiBob auth and/or Enterprise SSO (2FA recommended). MFA required for internal production access.
hibob.comPenetration testing
Annual third-party penetration tests on production and corporate networks. Summary available under NDA.
hibob.comData backup
At least daily backups of all data. Fully restorable for disaster recovery. DR location: AWS Frankfurt.
hibob.comSIEM and monitoring
24/7 SIEM with IDS/IPS. Dedicated globally distributed security team on call 24/7.
hibob.comVulnerability management
Continuous third-party dynamic scanning, static code analysis, OWASP Top 10 controls, annual secure code training for engineers.
hibob.comEmployee vetting
Reference checks, NDAs, and confidentiality agreements for all new hires and contractors.
hibob.comEU-US Data Privacy Framework
Hi Bob, Inc. is certified under EU-US DPF, UK Extension to EU-US DPF, and Swiss-US DPF
hibob.com// Products & data scope
data: Financial data including budgets, actuals, headcount costs, vendor spend, 3-statement financial models. Integrates with HR data (salaries, headcount) from HiBob Core.
Formerly independent mosaic.tech; acquired by HiBob February 2025 for $35M. mosaic.tech domain now redirects to hibob.com/finance/. Targets mid-market finance teams (Series A-C SaaS companies). Pricing: Analytics $3K-6K/mo, Planning $6K-12K/mo, Growth $12K-25K/mo.
data: Reads HR and finance data within the HiBob environment. Zero-retention policy: no data sent to AI providers is stored or used for training.
AI features are configurable per feature via admin AI Settings page. Admins can disable individual AI features. All AI features use pre-approved sub-processors.
data: Employee personal data, documents, time & attendance, workflows, onboarding/offboarding records.
Primary HR system of record. 5,000+ company customers. #1 Mid-Market HRMS per G2 2026.
data: Salary and compensation data, tax data, benefits data for UK and US payroll. Financial data encrypted separately with KMS AES-256.
Includes native UK payroll (acquired Pento 2024) and US payroll, plus integrations with global payroll providers.
data: Recruitment data, performance reviews, survey responses, learning records.
AI-powered surveys and calibration tools. Performance data feeds into Bob AI Companion insights.
// What to watch
- IDENTITY CONFLATION RISK: Slug 'mosaic' could be confused with at least three unrelated companies sharing the name: mosaicapp.com (resource/project management tool with its own Drata trust center), mosaicsmartdata.com (data analytics), and mosaic.pe. The vendor assessed here is specifically mosaic.tech (FP&A platform), now integrated into HiBob as hibob.com/finance/. Any cert attributed to mosaicapp.com or others must NOT be applied to this vendor.
- POST-ACQUISITION INTEGRATION: HiBob acquired mosaic.tech in February 2025 for $35M. All mosaic.tech URLs (including /security, /privacy-policy) now redirect with HTTP 301 to hibob.com. Assessment therefore covers HiBob's security posture. It is unclear whether HiBob's certs have been formally rescoped to include the Mosaic Finance product specifically, or whether the Finance module runs within the same certified environment as the core Bob platform.
- HIPAA POSSIBLE OVER-CLAIM: HIPAA is listed in the AI Trust Center page alongside other standards but is absent from the dedicated security page. Pre-acquisition, mosaic.tech was explicitly described as 'not HIPAA or FedRAMP certified' by third-party sources. Whether HiBob's HIPAA posture now covers the Finance module is unverified. Graded held=false until explicit documentation (BAA availability, audit scope) is provided.
- ISO 42001 UNVERIFIED: ISO/IEC 42001 (AI Management System) is mentioned once in the AI Trust Center page in a list of 'industry best practices' but no certificate, accreditation body, audit date, or scope statement is provided anywhere on the vendor domain. Graded held=false; may be aspirational.
- SOC 1 TYPE II UNVERIFIED: Mentioned only in AI Trust Center page alongside other standards. Not listed on the main security page. No report availability statement. Cannot confirm as a standalone audit.
- HOST-CERT AMBIGUITY: HiBob security page states data is hosted in 'AWS data centers that have been certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant.' PCI DSS and the infrastructure ISO/SOC certs cited are AWS's own certifications, not HiBob's. HiBob does not separately claim PCI DSS for its own services.
- NDA GATING: SOC 2 Type II report and penetration test summary both require a signed NDA to access. This is industry-standard practice but means no public independent verification is possible for the SOC 2 scope or opinion.
- AI GOVERNANCE MARKETING VS CERT: The AI Trust Center page uses certification-like language ('HiBob follows industry best practices, including ISO 27001, ISO27018, ISO42001, HIPAA, GDPR, SOC2 type 2, and SOC1 type 2') that implies all items are held certifications. In reality, only ISO 27001:2022, ISO 27018:2019, and SOC 2 Type II are explicitly confirmed on the security page. The remaining items may be frameworks followed rather than audited certifications.
// At a glance
Pricing model
Subscription SaaS. Mosaic Finance tiers: Analytics ~$3K-6K/mo, Planning ~$6K-12K/mo, Growth ~$12K-25K/mo plus $5K-15K implementation. Multi-year discounts of 40-50% reported. Post-acquisition pricing trajectory expected to increase 15-25% for new customers.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Hi Bob, Inc. (formerly Mosaic.tech, Inc. — acquired by HiBob February 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
hibob.com